I have been toying with this question for quite some time: is hashed data considered personal data? By hashed, I mean encrypted or pseudonymised; to me they are similar by definition, so the terms can be used interchangeably. The difference is in the level of sophistication of the algorithms and how difficult it is to convert the data back to the original personal data. The point is, it is an act of transforming personal data into a string that no one can recognise as personal data except for the person who holds the key to unlocking it.
EU’s GDPR (General Data Protection Regulation) defines pseudonymisation as the processing of personal data in such a manner that they can no longer be attributed to a specific data subject without the use of additional information, with technical and organisational measures to ensure that they are not attributed to an identified or identifiable natural person.
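The definition above turns on whether a token can be attributed to a person without additional information. The following Python sketch is an added example, not part of the original post: it compares an unkeyed SHA-256 of a name with an HMAC-SHA256 whose secret key plays the role of the additional information. The names, keys and function names are constructed for illustration.

```python
import hashlib
import hmac
import unicodedata

def normalise(name: str) -> bytes:
    """Canonical form so the same person always maps to the same token."""
    return unicodedata.normalize("NFKC", name).strip().casefold().encode("utf-8")

def plain_hash(name: str) -> str:
    """Unkeyed SHA-256: anyone can recompute it from a candidate name."""
    return hashlib.sha256(normalise(name)).hexdigest()

def keyed_pseudonym(name: str, key: bytes) -> str:
    """HMAC-SHA256: recomputing the token requires the secret key."""
    return hmac.new(key, normalise(name), hashlib.sha256).hexdigest()

def attribute(token: str, candidates, tokenise):
    """Return the candidate name whose token matches, or None."""
    for name in candidates:
        if hmac.compare_digest(tokenise(name), token):
            return name
    return None

# Constructed sample data (not from the original post).
CUSTOMERS = ["Alice Tan", "Bob Lee", "Chandra Rao"]
KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # constructed demo key
WRONG_KEY = bytes(32)  # stands in for a party that was never given the key

def demo():
    shared_plain = plain_hash("Bob Lee")
    shared_keyed = keyed_pseudonym("Bob Lee", KEY)
    return {
        # No additional information needed: a list of names is enough.
        "plain_without_key": attribute(shared_plain, CUSTOMERS, plain_hash),
        # Without the key the token cannot be attributed to anyone.
        "keyed_without_key": attribute(
            shared_keyed, CUSTOMERS, lambda n: keyed_pseudonym(n, WRONG_KEY)),
        # With the key it can: the key is the "additional information".
        "keyed_with_key": attribute(
            shared_keyed, CUSTOMERS, lambda n: keyed_pseudonym(n, KEY)),
        # Two datasets tokenised with the same key can still be joined.
        "joinable": keyed_pseudonym(" bob lee ", KEY) == shared_keyed,
    }

if __name__ == "__main__":
    for label, result in demo().items():
        print(label, "->", result)
```

Whether the keyed token counts as pseudonymised in the sense above depends on who holds the key and how it is protected, not on the hash function alone.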
So if you ask me, it is not. Take a name, for example, which is categorised as PII (Personally Identifiable Information): once it’s hashed, how on earth can you identify or read the name? It is meaningless. But the problem with lawyers now is that they think it is still classified as personal data, and hence the ownership of the hashed data is limited to the owners or companies or 3rd parties bound by an agreement.
That’s one of the main challenges for companies that want to collaborate and share customer data to create more value. The good thing I know is that there are a few people and companies out there trying to solve this issue so that big data can be leveraged further. Privacy has always been the main concern when it comes to this. Until then, harnessing the value from big data is limited.
I’m actually pressed for time today, so I feel that I haven’t done a good job of articulating this topic. I will find more time to dig into this further and talk about it, as it is definitely one of my topics of interest.